autocreate deprecated q

2017-08-16 Thread voytek
I'm getting "autocreate plugin is deprecated"

I've removed 1) but still see error

am I correct I don't need default IMAP folders in dovecot.conf as they
come from 15-mailboxes.conf ?

# grep autocreate dovecot.conf
  lda_mailbox_autocreate = yes
  mail_plugins = quota sieve autocreate
  mail_plugins = quota imap_quota autocreate

do I just remove BOTH 'mail_plugin ... autocreate' ?


1) removed
  autocreate = INBOX
  autocreate2 = Sent
  autocreate3 = Trash
  autocreate4 = Drafts
  autocreate5 = Junk
  autosubscribe = INBOX
  autosubscribe2 = Sent
  autosubscribe3 = Trash
  autosubscribe4 = Drafts
  autosubscribe5 = Junk


Re: Cannot login with method=GSSAPI

2017-08-16 Thread Erik Haller
I solved the problem. The dovecot auth_gssapi_hostname entry did not have
a correct reverse DNS entry.

Example:

mail.example.com had an IP of 192.168.1.3 and the reverse pointer record
for 192.168.1.3 was a different hostname; i.e. orange.example.com.

Kerberos gssapi is strict.

Thank you for your help.

On Tue, Aug 15, 2017 at 11:55 PM, Aki Tuomi wrote:

> The disconnect (no auth attempts) means that the client did not see any
> reason to try logging in.
>
> You can use https://wiki.mozilla.org/MailNews:Logging to enable debug
> logging.
>
> Aki
>
>
> On 16.08.2017 09:50, Erik Haller wrote:
> > I am migrating an existing dovecot server to a new server. The existing
> > server uses pam_krb5 and works with the plain and gssapi methods. The new
> > server plain/pam_krb5 normal password authentication works. However, the
> > gssapi (tickets) authentication is producing the following error:
> >
> > === Begin Error ===
> >
> > imap-login: Disconnected (no auth attempts in 0 secs): user=<>,
> > rip=192.168.7.61, lip=192.168.7.97, TLS, session=
> >
> > === End Error ===
> >
> > What is causing the "user=<>"? It should be "user=".
> >
> > I have been using Thunderbird SSL GSSAPI from a Debian Linux testing/buster
> > XFCE desktop to connect to the existing server for years. When I point it
> > to the new server, I receive the above error.
> >
> > ssh kerberos gssapi authentication is working fine on the new server.
> >
> > Most of the doveconf settings between the existing and new servers are the
> > same.
> >
> > The existing server is 32 bit. The new server is 64 bit running in an LXC
> > container. The existing server dovecot version is the same as the new
> > server.
> >
> >
> > Notes:
> >
> > dovecot version: 2.2.31 (65cde28)
> > OS: Debian Linux testing/buster
> > Arch: amd64
> >
> > Client: Mozilla Thunderbird 52.2.1 (latest)
>
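
A forward-confirmed reverse DNS check for the mismatch described in this message, as an added example that is not part of the original post. It assumes the value of auth_gssapi_hostname is passed as the argument and that lookups go through getent; resolve_fwd, resolve_rev, normalize and check_fcrdns are hypothetical helper names.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS check for the name configured
# as auth_gssapi_hostname. Helper names are hypothetical, not Dovecot's.

# Forward lookup through NSS: print each address of a name once.
resolve_fwd() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# Reverse lookup through NSS: print the canonical name for an address.
resolve_rev() {
    getent hosts "$1" | awk '{ print $2 }'
}

# Lower-case a host name and drop a trailing dot so names compare equal.
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# check_fcrdns NAME
# Returns 0 if every address of NAME has a PTR naming NAME again,
# 1 on a missing or different PTR, 2 if NAME has no forward record.
check_fcrdns() {
    want=$(normalize "$1")
    addrs=$(resolve_fwd "$1")
    if [ -z "$addrs" ]; then
        echo "FAIL $want: no forward record"
        return 2
    fi
    fcrdns_rc=0
    for addr in $addrs; do
        ptr=$(normalize "$(resolve_rev "$addr" | head -n 1)")
        if [ -z "$ptr" ]; then
            echo "FAIL $addr: no PTR record"
            fcrdns_rc=1
        elif [ "$ptr" != "$want" ]; then
            echo "FAIL $addr: PTR is $ptr, expected $want"
            fcrdns_rc=1
        else
            echo "OK   $addr -> $ptr"
        fi
    done
    return "$fcrdns_rc"
}

# Run as: sh check_fcrdns.sh mail.example.com
if [ "$#" -gt 0 ]; then
    check_fcrdns "$1"
fi
```

Run it on the server itself, so that the same resolver configuration (including /etc/hosts) is consulted.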


Re: correct permissions /etc/dovecot ?

2017-08-16 Thread Tanstaafl
On Wed Aug 16 2017 02:57:32 GMT-0400 (Eastern Standard Time),
voy...@sbt.net.au  wrote:
> what permissions/ownership should /etc/dovecot/files have?

It would be nice if Dovecot had something like Postfix's set-permissions
command.


Re: v2.2.32 release candidate released

2017-08-16 Thread Joseph Tam


Timo Sirainen wrote:


> There are various changes in this release that can be used to significantly
> reduce disk IO with:
> 1) NFS storage especially, but I guess also other remote filesystems and even
> some with local disks
> 2) When mail storage and INDEX storage are separated


Thanks for these changes!  Big win for my setup.  My servers are not
overly stressed, but how much performance gain (using any metric you
choose) can one expect from these changes?


>  + mail_location can now include VOLATILEDIR= parameter. This
>    is used for creating lock files and in future potentially other
>    files that don't need to exist permanently. The path could point to
>    tmpfs for example. This is especially useful to avoid creating lock
>    files to NFS or other remote filesystems. For example:
>    mail_location=sdbox:~/sdbox:VOLATILEDIR=/tmp/volatile/%2.256Nu/%u


Is "/tmp/volatile" auto-created, or must be pre-created?


>  + mail_location's LISTINDEX= can now contain a full path.
>    This allows storing mailbox list index to a different storage
>    than the rest of the indexes, for example to tmpfs.


Is this in any way related to VOLATILEDIR?  Can they be set to the same
value without problems?


>  + mail_location can now include NO-NOSELECT parameter. This
>    automatically deletes any \NoSelect mailboxes that have no children.
>    These mailboxes are sometimes confusing to users.


Sorry for my IMAP ignorance, but how can this situation come about?


>  + mail_location can now include ITERINDEX parameter. This tells Dovecot
>    to perform mailbox listing from the INDEX path instead of from the
>    mail root path. It's mainly useful when the INDEX storage is on a
>    faster storage.
>  + If mailbox_list_index_very_dirty_syncs=yes, the list index is no
>    longer refreshed against filesystem when listing mailboxes. This
>    allows the mailbox listing to be done entirely by only reading the
>    mailbox list index.
>  + Added mailbox_list_index_include_inbox setting to control whether
>    INBOX's STATUS information should be cached in the mailbox list
>    index. The default is "no", but it may be useful to change it to
>    "yes", especially if LISTINDEX points to tmpfs.


So as I understand it, the optimization comes about from segregating mail
data information into 3 parts: raw mail, indices, and volatile components,
putting them into increasingly better performing storage media.

How do these I/O optimizations affect the client's view of a mailbox
if their mailbox is subject to modification outside the dovecot system
(e.g.  procmail, mail readers directly modifies mailbox files)?  Is there
a trade-off between metadata consistency and performance, or it's a
win-win all around?

(I just saw your previous response to someone else, which I'll read more
closely.)

Joseph Tam 


Re: v2.2.32 release candidate released (on Debian 8/Jessie)

2017-08-16 Thread A. Schulze


Am 15.08.2017 um 22:49 schrieb Timo Sirainen:
> https://dovecot.org/releases/2.2/rc/dovecot-2.2.32.rc1.tar.gz

my build system complains about spelling errors
 - in binaries
-> src/director/director-connection.c: reseting -> resetting
 - in manpages
-> doc/man/doveadm-exec.1.in: wich -> which + No newline at end of file

patches attached.

one other point I notice (not new in this version) is the "warnings" from Debian
lintian:

I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/auth
N: 
N:This package provides an ELF binary that lacks the use of fortified libc
N:functions. Either there are no potentially unfortified functions called
N:by any routines, all unfortified calls have already been fully validated
N:at compile-time, or the package was not built with the default Debian
N:compiler flags defined by dpkg-buildflags. If built using
N:dpkg-buildflags directly, be sure to import CPPFLAGS.
N:
N:NB: Due to false-positives, Lintian ignores some unprotected functions
N:(e.g. memcpy).
N:
N:Refer to https://wiki.debian.org/Hardening and
N:http://bugs.debian.org/673112 for details.
N:
N:Severity: normal, Certainty: wild-guess
N:
N:Check: binaries, Type: binary, udeb
N: 
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/config
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/director
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/gdbhelper
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/imap
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-login.so.0.0.0
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/modules/lib10_quota_plugin.so
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/modules/lib20_fts_plugin.so
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/modules/lib20_replication_plugin.so
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/modules/lib99_welcome_plugin.so
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/quota-status
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/script
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/script-login
I: dv-dovecot: hardening-no-fortify-functions usr/lib/dovecot/xml2text

the text mentions "CPPFLAGS", which occurs exactly two times in my build log:
 1. as parameter to configure
 2. in that warning

I read this as "configure gets an environment variable CPPFLAGS and completely
ignores it".
full buildlog (for Debian Jessie, using aclocal-1.14, btw...) at 
https://andreasschulze.de/tmp/dv-dovecot_2.2.32~rc1-2017081601_amd64.build.txt

Andreas
Description: lintian: wich -> which
Author: A. Schulze
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: dovecot-2.2.32~rc1/doc/man/doveadm-exec.1.in
===
--- dovecot-2.2.32~rc1.orig/doc/man/doveadm-exec.1.in
+++ dovecot-2.2.32~rc1/doc/man/doveadm-exec.1.in
@@ -28,7 +28,7 @@ the name of an executable located in
 .\"-
 .TP
 .I binary arguments
-options and arguments, wich will be passed through to the
+options and arguments, which will be passed through to the
 .IR binary .
 .\"
 .SH EXAMPLE
@@ -44,4 +44,4 @@ user\(aqs mailbox.
 .\"
 .SH SEE ALSO
 .BR doveadm (1),
-.BR dovecot\-lda (1)
\ No newline at end of file
+.BR dovecot\-lda (1)
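
Review bot: The Description header says only "wich -> which", but the last hunk (@@ -44,4 +44,4 @@) also adds the missing end-of-file newline after `.BR dovecot\-lda (1)`. Mention the newline fix in the Description, or split it into its own patch, so the header covers everything the patch changes.
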
Description: lintian: reseting -> resetting
Author: A. Schulze
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: dovecot-2.2.32~rc1/src/director/director-connection.c
===
--- dovecot-2.2.32~rc1.orig/src/director/director-connection.c
+++ dovecot-2.2.32~rc1/src/director/director-connection.c
@@ -770,7 +770,7 @@ static bool director_cmd_director(struct
 	}
 	/* just forward this to the entire ring until it reaches back to
 	   itself. some hosts may see this twice, but that's the only way to
-	   guarantee that it gets seen by everyone. reseting the host multiple
+	   guarantee that it gets seen by everyone. resetting the host multiple
 	   times may cause us to handle its commands multiple times, but the
 	   commands can handle that. however, we need to also handle a
 	   situation where the added director never comes back - we don't want
@@ -1469,7 +1469,7 @@ director_connection_sync_host(struct dir
   timestamp);
 			return FALSE;
 		} else if (seq < host->last_sync_seq) {
-			i_warning("Last SYNC seq for %s appears to be stale, reseting "
+			i_warning("Last SYNC seq for %s appears to be stale, resetting "
   "(seq=%u, timestamp=%u -> seq=%u, timestamp=%u)",
   host->name, host->last_sync_seq,
   host->last_sync_timestamp, seq, timestamp);
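
Review bot: In director_connection_sync_host the corrected word sits inside the i_warning() format string ("Last SYNC seq for %s appears to be stale, resetting"), so this hunk changes emitted log text and not only source spelling. Say so in the Description: any log filter or alert that matches the old "reseting" wording for this warning has to be updated together with the patch.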


Re: weakforced

2017-08-16 Thread Mark Moseley
On Tue, Jul 18, 2017 at 10:40 PM, Aki Tuomi  wrote:

>
>
> On 19.07.2017 02:38, Mark Moseley wrote:
> > I've been playing with weakforced, so it fills in the 'fail2ban across a
> > cluster' niche (not to mention RBLs). It seems to work well, once you've
> > actually read the docs :)
> >
> > I was curious if anyone had played with it and was *very* curious if anyone
> > was using it in high traffic production. Getting things to 'work' versus
> > getting them to work *and* handle a couple hundred dovecot servers is a
> > very wide margin. I realize this is not a weakforced mailing list (there
> > doesn't appear to be one anyway), but the users here are some of the
> > likeliest candidates for having tried it out.
> >
> > Mainly I'm curious if weakforced can handle serious concurrency and whether
> > the cluster really works under load.
>
> Hi!
>
> Weakforced is used by some of our customers in quite large
> installations, and performs quite nicely.
>
>
>

Cool, good to know.

Do you have any hints/tips/guidelines for things like sizing, both in a
per-server sense (memory, mostly) and in a cluster-sense (logins per sec ::
node ratio)? I'm curious too how large is quite large. Not looking for
details but just a ballpark figure. My largest install would have about 4
million mailboxes to handle, which I'm guessing falls well below 'quite
large'. Looking at stats, our peak would be around 2000 logins/sec.

I'm also curious if -- assuming they're well north of 2000 logins/sec --
the replication protocol begins to overwhelm the daemon at very high
concurrency.

Any rules of thumb on things like "For each additional 1000 logins/sec, add
another # to setNumSiblingThreads and another # to setNumWorkerThreads"
would be super appreciated too.

Thanks! And again, feel free to point me elsewhere if there's a better
place to ask. For a young project, the docs are actually quite good.


dotlock causing crashes

2017-08-16 Thread Ian Bobbitt
OS: CentOS 7 x86_64
Dovecot version: 2.2.31 (65cde28) (GhettoForge RPM)
Filesystem: GlusterFS, but working on changing that. Only one server is 
receiving activity.

Was getting messages about corrupt dovecot.map.index files. Changed to dotlock 
from fcntl to try to fix that.

Reading symbols from /usr/libexec/dovecot/imap...(no debugging symbols 
found)...done.
[New LWP 74012]
Core was generated by `dovecot/imap'.
Program terminated with signal 6, Aborted.
#0  0x7fa262c741d7 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt full
#0  0x7fa262c741d7 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
resultvar = 0
pid = 74012
selftid = 74012
#1  0x7fa262c758c8 in __GI_abort () at abort.c:90
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x7ffd7009f401, sa_sigaction 
= 0x7ffd7009f401}, sa_mask = {__val =
{0, 0, 140335431377968, 140335423109592, 140335422613219, 4246482, 
140335418575669, 12278048, 4192326493288016896,
12278592, 140335423192931, 0, 0, 140335425698848, 12280232, 140726483153732}}, 
sa_flags = 1657305400, sa_restorer = 0x79a}
sigs = {__val = {32, 0 }}
#2  0x7fa26309eac6 in default_fatal_finish (type=, 
status=status@entry=0) at failures.c:201
backtrace = 0xbb5958 "/usr/lib64/dovecot/libdovecot.so.0(+0x9eace) 
[0x7fa26309eace] ->
/usr/lib64/dovecot/libdovecot.so.0(+0x9ebae) [0x7fa26309ebae] -> 
/usr/lib64/dovecot/libdovecot.so.0(i_fatal+0)
[0x7fa26303012c] -> /usr"...
#3  0x7fa26309ebae in i_internal_fatal_handler (ctx=0x7ffd7009f4d0, 
format=, args=) at
failures.c:670
status = 0
#4  0x7fa26303012c in i_panic (format=format@entry=0x7fa2630d11de "file %s: 
line %d: unreached") at failures.c:275
ctx = {type = LOG_TYPE_PANIC, exit_status = 0, timestamp = 0x0, 
timestamp_usecs = 0}
args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 
0x7ffd7009f5d0, reg_save_area = 0x7ffd7009f510}}
#5  0x7fa2630a344f in file_lock_do (fd=fd@entry=20, path=path@entry=0xbb5868
"/gnoc/mail/home/bgeels/mail/mailboxes/Junk/dbox-Mails/.vsize.lock23f657caa43d8796",
 lock_type=lock_type@entry=1,
lock_method=lock_method@entry=FILE_LOCK_METHOD_DOTLOCK, timeout_secs=0, 
error_r=error_r@entry=0x7ffd7009f768) at
file-lock.c:285
lock_type_str = 0x7fa2630e6948 "write-lock"
started = 1502905468
ret = 
__FUNCTION__ = "file_lock_do"
#6  0x7fa2630a3796 in file_wait_lock_error (fd=20, path=0xbb5868
"/gnoc/mail/home/bgeels/mail/mailboxes/Junk/dbox-Mails/.vsize.lock23f657caa43d8796",
 lock_type=1,
lock_method=FILE_LOCK_METHOD_DOTLOCK, timeout_secs=, 
lock_r=0xc4ec10, error_r=0x7ffd7009f768) at
file-lock.c:314
ret = 
#7  0x7fa2630a3813 in file_try_lock_error (fd=, 
path=, lock_type=lock_type@entry=1,
lock_method=lock_method@entry=FILE_LOCK_METHOD_DOTLOCK, 
lock_r=lock_r@entry=0xc4ec10,
error_r=error_r@entry=0x7ffd7009f768) at file-lock.c:66
No locals.
#8  0x7fa2630a0955 in try_create_new (error_r=0x7ffd7009f768, 
lock_r=0xc4ec10, fd_r=0x7ffd7009f700,
set=0x7ffd7009f770, path=0xc2f930 
"/gnoc/mail/home/bgeels/mail/mailboxes/Junk/dbox-Mails/.vsize.lock") at
file-create-locked.c:65
fd = 20
orig_errno = 
ret = -1
temp_path = 0xbb5830
mode = 0
uid = 
gid = 4294967295
#9  file_create_locked (path=0xc2f930 
"/gnoc/mail/home/bgeels/mail/mailboxes/Junk/dbox-Mails/.vsize.lock",
set=set@entry=0x7ffd7009f770, lock_r=lock_r@entry=0xc4ec10, 
created_r=created_r@entry=0x7ffd7009f767,
error_r=error_r@entry=0x7ffd7009f768) at file-create-locked.c:118
i = 0
fd = 
ret = 
__FUNCTION__ = "file_create_locked"
#10 0x7fa2633e8f80 in vsize_update_lock_full (update=0xc4ebd0, 
lock_secs=lock_secs@entry=0) at index-mailbox-size.c:150
box = 0xc2e268
perm = 0xc2e440
set = {lock_timeout_secs = 0, lock_method = FILE_LOCK_METHOD_DOTLOCK, 
mode = 384, uid = 0, gid = 4294967295,
gid_origin = 0xc2ea58 "/gnoc/mail/home/bgeels/mail/mailboxes/Junk"}
error = 0x7fa2633f2062  
"1\300[]A\\\303\017\037\200"
created = false
#11 0x7fa2633e9057 in index_mailbox_vsize_update_try_lock 
(update=) at index-mailbox-size.c:167
No locals.
#12 0x7fa2633e9755 in index_mailbox_vsize_update_appends (box=) at index-mailbox-size.c:479
update = 0xc4ebd0
status = {messages = 1323, recent = 0, unseen = 0, uidvalidity = 
1413091786, uidnext = 6750, first_unseen_seq =
0, first_recent_uid = 5886, last_cached_seq = 0, highest_modseq = 0, 
highest_pvt_modseq = 0, keywords = 0x0,
permanent_flags = 0, flags = 0, permanent_keywords = 0, allow_new_keywords = 0, 
nonpermanent_modseqs = 0,
no_modseq_tracking = 0, have_guids = 1,
  have_save_guids = 1, have_only_guid128 = 0}
#13 0x7fa2633f633c in 

Question (haven't tried yet)

2017-08-16 Thread Ivan Warren

Hello,

I have a question: if I have multiple servers sharing a single disk 
space (NFS... cluster), and a message is delivered via say LMTP or LDA 
to a mailbox, and an IMAP client is in IDLE mode on another server, will 
it get notified of the arrival of the new message (and if yes, how?)


Thanks,

--Ivan






Re: v2.2.32 release candidate released

2017-08-16 Thread Alexey Asemov (Alex/AT)

Hello Timo,

Many thanks for the explanation, it really clarified things.
I'll go for option (b) "Use mailbox_list_index_very_dirty_syncs=no and 
put LISTINDEX to local" then and write later on if there are any issues 
with it.


FTS Lucene Search by Word Parts

2017-08-16 Thread Webert de Souza Lima
Hello,

as the dovecot documentation is only trivial for FTS Search options, I
can't find information on advanced options.

I have enabled it but it seems I can only search for entire words, i.e. the
word Dovecot can be found by searching "dovecot", but not "dove".

Is it possible to achieve this using FTS Lucene?

I know that with Solr that is achievable by setting n-gram.

Regards,

Webert Lima
DevOps Engineer at MAV Tecnologia
*Belo Horizonte - Brasil*


Compiling problem on Debian Jessie with dovecot-2-2-32.rc1

2017-08-16 Thread Ralf Zimmermann
I can't do ./configure && make && make install on a Debian Jessie. How can I 
fix this?

#make
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash 
/usr/local/src/dovecot-2.2.32.rc1/missing aclocal-1.15 -I . -I m4
/usr/local/src/dovecot-2.2.32.rc1/missing: line 81: aclocal-1.15: command not 
found
WARNING: 'aclocal-1.15' is missing on your system.
 You should only need it if you modified 'acinclude.m4' or
 'configure.ac' or m4 files included by 'configure.ac'.
 The 'aclocal' program is part of the GNU Automake package:
 
 It also requires GNU Autoconf, GNU m4 and Perl in order to run:
 
 
 
Makefile:497: recipe for target 'aclocal.m4' failed
make: *** [aclocal.m4] Error 127

# aclocal --version
aclocal (GNU automake) 1.14.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv2+: GNU GPL version 2 or later 

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Tom Tromey 
   and Alexandre Duret-Lutz .

# aclocal
configure.ac:319: warning: macro 'AM_ICONV' not found in library

# autoconf
configure.ac:319: error: possibly undefined macro: AM_ICONV
  If this token and others are legitimate, please use m4_pattern_allow.
  See the Autoconf documentation.

# autoreconf -i -f
aclocal: error: couldn't open directory 'm4': No such file or directory
autoreconf: aclocal failed with exit status: 1

Greets

Ralf Zimmermann




Re: v2.2.32 release candidate released

2017-08-16 Thread Timo Sirainen
On 16 Aug 2017, at 8.37, Alexey Asemov (Alex/AT)  wrote:
> 
> Hello Timo,
> 
> I am quite eager to test it, but I don't know if these changes can be 
> applicable for my configuration (it is shared storage one, any mdbox on NFS 
> can be accessed by multiple servers, I made it so it's mostly accessed by 
> one, but at certain conditions multiple servers still access mailbox 
> simultaneously).
> 
> So if possible I want to ask a few dumb questions:
> 
> - I assume VOLATILEDIR can't be used with configurations where multiple 
> servers access the same mdbox because lockfiles need to be shared as well? Or 
> does this option touch only some (lock)files that do not need to be shared 
> between servers accessing same mailbox?

If you're using e.g. Dovecot director, it should be very unlikely that multiple 
servers access the same user simultaneously. Currently only two lock files use 
VOLATILEDIR:

 * .vsize.lock: Used to update folder's size in dovecot.index. So the worst 
that can happen is that the vsize becomes wrong. If you're using quota=count, 
it could become wrong. But this gets fixed automatically anyway later on.
 * autoexpunge.lock : Only used if you have autoexpunge settings.

> - Would LISTINDEX indexes be regenerated properly for mdbox if 
> lost/corrupted? Properly, meaning without losing flags, message numbering or 
> some other vital data. If yes, then I assume they can be stored on local 
> storage per server, and not on NFS. If LISTINDEX can be regenerated, will 
> LISTINDEX be updated if it's detected to be obsolete compared to accessed 
> mdbox contents?

dovecot.list.index* don't have any especially vital information, like message 
flags. So it can be fully regenerated. You have 3 options actually:

a) Use mailbox_list_index_very_dirty_syncs=yes and keep LISTINDEX in NFS: This 
optimizes LIST
b) Use mailbox_list_index_very_dirty_syncs=no and put LISTINDEX to local: This 
automatically updates the list index as necessary, but it does some extra 
stat()s on the folders to make sure they're up-to-date in the list index.
c) Use mailbox_list_index_very_dirty_syncs=yes and put LISTINDEX to local: This 
fully trusts the locally cached list indexes. It works only if you can 
guarantee that the local list indexes aren't obsolete. So it requires some 
scripting. For example you can store in NFS or in Redis or elsewhere the user's 
last backend hostname. Then create a post-login script that deletes the list 
indexes if the hostname doesn't match the current server where user is logging 
in. This can also be optimized to run the script only when the hostname changes 
by using the new userdb postlogin socket and %{if...} that is coming to 
v2.2.33. Although there are also other ways.
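
One way to write the post-login check described in option (c), as an added example that is not Dovecot's or the poster's code. The state file name, the list index path and the function name invalidate_stale_listindex are assumptions; the script is meant to be started by script-login, which passes the next command as its arguments.

```shell
#!/bin/sh
# Added example, not Dovecot's own code: post-login hook for option (c).
# Assumptions (hypothetical names and paths): the last-backend marker lives
# in the user's home on shared storage, and the second argument is the local
# full path that mail_location gives as LISTINDEX=.

# invalidate_stale_listindex STATE_FILE LISTINDEX_PATH CURRENT_HOST
# Prints "kept" when the user last logged in on this host, "purged" when the
# local list index was removed. Returns 1 if the marker could not be saved.
invalidate_stale_listindex() {
    state_file=$1
    listindex=$2
    current=$3

    last=""
    if [ -r "$state_file" ]; then
        last=$(cat "$state_file")
    fi

    if [ "$last" = "$current" ]; then
        echo kept
        return 0
    fi

    # Another backend served this user since the cache was written (or this
    # is the first login here): the cached list index cannot be trusted.
    rm -f "$listindex" "$listindex".*

    # Replace the marker atomically so a concurrent login on another server
    # never reads a half-written host name.
    tmp="$state_file.$$"
    if printf '%s\n' "$current" > "$tmp" && mv -f "$tmp" "$state_file"; then
        echo purged
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# When started by script-login, "$@" holds the command to run next.
if [ "$#" -gt 0 ]; then
    # Output is discarded so nothing from the hook reaches the session.
    invalidate_stale_listindex \
        "$HOME/.last-backend" \
        "/var/cache/dovecot-listindex/$USER/dovecot.list.index" \
        "$(hostname)" >/dev/null 2>&1
    exec "$@"
fi
```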


Re: correct permissions /etc/dovecot ?

2017-08-16 Thread Tom Hendrikx


On 16-08-17 08:57, voy...@sbt.net.au wrote:
> what permissions/ownership should /etc/dovecot/files have?
> 
> keep seeing this error below, I can correct as per log, BUT, wanted first
> to check what it should be, rather than me 'fiddling'
> 
> thanks, V
> 
> SQL user is vmail
> first_valid_uid = 2000
> last_valid_uid = 2000
> 
> # ls -al
> total 60
> drwxr-xr-x  5 root    root    4096 Aug 16 14:45 .
> drwxr-xr-x 82 root    root    4096 Aug 16 08:34 ..
> drwxr-xr-x  2 root    root    4096 Aug 12 21:22 conf.d
> -rw-------  1 vmail   dovecot    0 Nov  5  2013 dovecot-master-users-password
> -rw-------  1 vmail   dovecot  735 Aug 16 14:45 dovecot-mysql.conf
> -rw-------  1 vmail   dovecot  491 Aug 15 23:09 dovecot-share-folder.conf
> -rw-------  1 vmail   dovecot  320 Aug 15 23:09 dovecot-used-quota.conf
> -rw-r--r--  1 root    root    3414 Aug 16 14:43 dovecot.conf
> 
> 
> Aug 16 16:28:01 auth: Error: passwd-file:
> open(/etc/dovecot/dovecot-master-users-password) failed: Permission denied
> (euid=97(dovecot) egid=97(dovecot) missing +r perm:
> /etc/dovecot/dovecot-master-users-password, dir owned by 0:0 mode=0755)

The auth daemon (which has nothing to do with delivery) needs access to
the mysql database, and wants to read the master user password file. The
auth daemon runs as user 'dovecot' which is, according to your directory
listing, not allowed to access the file. The error message is quite clear.

You could probably set ownership to vmail/dovecot with permissions 440
to fix it. If you're only allowing minimal permissions, why would user
vmail need write access to that file?

Kind regards,
Tom
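
The permission check behind that log line, modelled as an added example that is not part of the thread. It uses the owner, group and daemon identity from the listing and log message above; mode 0600 for the current state is assumed from the "missing +r perm" error, and all function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): model of the classic Unix permission
# check, applied to the file and daemon identity shown in the log line.
# Not modelled: root's override, POSIX ACLs, directory search permission.

# perm_class FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# Prints the single class the kernel uses: owner, else group, else other.
perm_class() {
    if [ "$3" = "$1" ]; then echo owner; return 0; fi
    for g in $4; do
        if [ "$g" = "$2" ]; then echo group; return 0; fi
    done
    echo other
}

# class_digit MODE CLASS: octal permission digit of MODE for that class.
# Accepts 600, 0600 or the short forms stat prints (e.g. 40).
class_digit() {
    m="000$1"
    m=${m#"${m%???}"}            # keep the last three octal digits
    case $2 in
        owner) echo "${m%??}" ;;
        group) m=${m#?}; echo "${m%?}" ;;
        *)     echo "${m#??}" ;;
    esac
}

# can_read MODE FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# Exit status 0 if the read bit is set in the class that applies.
can_read() {
    case $(class_digit "$1" "$(perm_class "$2" "$3" "$4" "$5")") in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_secret MODE FILE_OWNER FILE_GROUP DAEMON_USER "DAEMON_GROUPS"
# Prints space-separated findings for a credential file; empty means clean.
# Policy of this example: a non-root owner should not hold write access.
audit_secret() {
    findings=""
    can_read "$@" || findings="$findings unreadable-by-daemon"
    [ "$(class_digit "$1" other)" = 0 ] || findings="$findings world-accessible"
    if [ "$2" != root ]; then
        case $(class_digit "$1" owner) in
            2|3|6|7) findings="$findings owner-writable" ;;
        esac
    fi
    echo "${findings# }"
}

# audit_path FILE DAEMON_USER: the same audit on a real file (GNU stat, id).
audit_path() {
    meta=$(stat -c '%a %U %G' "$1") || return 2
    # $meta is split on purpose into mode, owner and group.
    audit_secret $meta "$2" "$(id -Gn "$2")"
}
```

The classes are exclusive: a process that matches the owner class is judged on the owner bits alone, even if the group bits would grant more.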


correct permissions /etc/dovecot ?

2017-08-16 Thread voytek
what permissions/ownership should /etc/dovecot/files have?

keep seeing this error below, I can correct as per log, BUT, wanted first
to check what it should be, rather than me 'fiddling'

thanks, V

SQL user is vmail
first_valid_uid = 2000
last_valid_uid = 2000

# ls -al
total 60
drwxr-xr-x  5 root    root    4096 Aug 16 14:45 .
drwxr-xr-x 82 root    root    4096 Aug 16 08:34 ..
drwxr-xr-x  2 root    root    4096 Aug 12 21:22 conf.d
-rw-------  1 vmail   dovecot    0 Nov  5  2013 dovecot-master-users-password
-rw-------  1 vmail   dovecot  735 Aug 16 14:45 dovecot-mysql.conf
-rw-------  1 vmail   dovecot  491 Aug 15 23:09 dovecot-share-folder.conf
-rw-------  1 vmail   dovecot  320 Aug 15 23:09 dovecot-used-quota.conf
-rw-r--r--  1 root    root    3414 Aug 16 14:43 dovecot.conf


Aug 16 16:28:01 auth: Error: passwd-file:
open(/etc/dovecot/dovecot-master-users-password) failed: Permission denied
(euid=97(dovecot) egid=97(dovecot) missing +r perm:
/etc/dovecot/dovecot-master-users-password, dir owned by 0:0 mode=0755)

Aug 16 16:29:16 auth: Error: passwd-file:
open(/etc/dovecot/dovecot-master-users-password) failed: Permission denied
(euid=97(dovecot) egid=97(dovecot) missing +r perm:
/etc/dovecot/dovecot-master-users-password, dir owned by 0:0 mode=0755)


Re: Cannot login with method=GSSAPI

2017-08-16 Thread Aki Tuomi
The disconnect (no auth attempts) means that the client did not see any
reason to try logging in.

You can use https://wiki.mozilla.org/MailNews:Logging to enable debug
logging.

Aki


On 16.08.2017 09:50, Erik Haller wrote:
> I am migrating an existing dovecot server to a new server. The existing
> server uses pam_krb5 and works with the plain and gssapi methods. The new
> server plain/pam_krb5 normal password authentication works. However, the
> gssapi (tickets) authentication is producing the following error:
>
> === Begin Error ===
>
> imap-login: Disconnected (no auth attempts in 0 secs): user=<>,
> rip=192.168.7.61, lip=192.168.7.97, TLS, session=
>
> === End Error ===
>
> What is causing the "user=<>"? It should be "user=".
>
> I have been using Thunderbird SSL GSSAPI from a Debian Linux testing/buster
> XFCE desktop to connect to the existing server for years. When I point it
> to the new server, I receive the above error.
>
> ssh kerberos gssapi authentication is working fine on the new server.
>
> Most of the doveconf settings between the existing and new servers are the
> same.
>
> The existing server is 32 bit. The new server is 64 bit running in an LXC
> container. The existing server dovecot version is the same as the new
> server.
>
>
> Notes:
>
> dovecot version: 2.2.31 (65cde28)
> OS: Debian Linux testing/buster
> Arch: amd64
>
> Client: Mozilla Thunderbird 52.2.1 (latest)


Re: Failback mailboxes?

2017-08-16 Thread Dag Nygren
On Wednesday 16 August 2017 07:34:25 Steffen Kaiser wrote:
> On Wed, 16 Aug 2017, Matt Bryant wrote:
> 
> > > hmm if message cannot be written to disk surely it remains on mda queue
> > > as not delivered and does not just disappear ? or am i reading this
> > > wrong ?!
> 
> as Matt writes your MDA (aka dovecot-lda) returns with an exit code != 0
> and your MTA should queue the message for later re-delivery.
> 
> IMHO, you should look there, if you call dovecot-lda correctly.

You might be perfectly right here and to make it
more complicated I forgot to tell you that procmail
is also involved. I did debug a bit though and
lda-deliver will return the proper return code 75

my .maildelivery file contains the recommended (?)

"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75"

And the procmail recipe has:

| deliver -d $LOGNAME -m inbox

As the action (just one example).

But still my postfix thinks the message is properly
delivered at a read/write error in the mailstore ???

But this seems to be a postfix configuration problem instead of
a dovecot one so sorry for choosing the wrong group.

Best
Dag


Re: v2.2.32 release candidate released

2017-08-16 Thread Alexey Asemov (Alex/AT)

Hello Timo,

I am quite eager to test it, but I don't know if these changes can be 
applicable for my configuration (it is shared storage one, any mdbox on 
NFS can be accessed by multiple servers, I made it so it's mostly 
accessed by one, but at certain conditions multiple servers still access 
mailbox simultaneously).


So if possible I want to ask a few dumb questions:

- I assume VOLATILEDIR can't be used with configurations where multiple 
servers access the same mdbox because lockfiles need to be shared as 
well? Or does this option touch only some (lock)files that do not need 
to be shared between servers accessing same mailbox?


- Would LISTINDEX indexes be regenerated properly for mdbox if 
lost/corrupted? Properly, meaning without losing flags, message 
numbering or some other vital data. If yes, then I assume they can be 
stored on local storage per server, and not on NFS. If LISTINDEX can be 
regenerated, will LISTINDEX be updated if it's detected to be obsolete 
compared to accessed mdbox contents?


Thanks.

On 15.08.2017 23:49, Timo Sirainen wrote:

> https://dovecot.org/releases/2.2/rc/dovecot-2.2.32.rc1.tar.gz
> https://dovecot.org/releases/2.2/rc/dovecot-2.2.32.rc1.tar.gz.sig
>
> There are various changes in this release that can be used to significantly
> reduce disk IO with:
> 1) NFS storage especially, but I guess also other remote filesystems and even
> some with local disks
> 2) When mail storage and INDEX storage are separated


Re: Failback mailboxes?

2017-08-16 Thread Dag Nygren
On Wednesday 16 August 2017 07:56:13 Matt Bryant wrote:
> hmm if message cannot be written to disk surely it remains on mda queue
> as not delivered and does not just disappear ? or am i reading this
> wrong ?!

That would be nice. ...

I have the delivery chain postfix -> lda-dovecot and
when postfix has passed the message to lda it will delete
it from the queue. Then when lda fails it is nowhere to be
found any more.

Could well be my dovecot or postfix config that is wrong...

Best
Dag


Re: Question about mail_location

2017-08-16 Thread Aki Tuomi


On 16.08.2017 03:34, Laura Steynes wrote:
> In using mysql, in the configuration file we need to specify, in the user
> query,  '/path/ as home, yet but in dovecot.conf, we also are setting
> mail_location, the same thing is it not, so unless I've missed something,
> do we still need to use the path as home in the user query? Do we only need
> set that if it differs from mail_location?
>
> Thanks

It is not necessary to return home variable if mail_home can be templated.

Aki


Re: Failback mailboxes?

2017-08-16 Thread Steffen Kaiser


On Wed, 16 Aug 2017, Matt Bryant wrote:


> hmm if message cannot be written to disk surely it remains on mda queue
> as not delivered and does not just disappear ? or am i reading this
> wrong ?!


as Matt writes your MDA (aka dovecot-lda) returns with an exit code != 0 
and your MTA should queue the message for later re-delivery.


IMHO, you should look there, if you call dovecot-lda correctly.


Dag Nygren 
16 August 2017 at 7:14 am
Thanks for all the advice on how to configure systemd
not to lose my emails after every update. Much appreciated.

But there could be other reasons for the mailboxes not being
writable and what I am really asking for is for
dovecot-lda not to lose the incoming emails into thin air
in these cases.

Could we have some kind of collective place/places where they would
be saved in this case and then reintroduced into the system
after the problem is fixed? One file for example?

Best
Dag
Dag Nygren 
14 August 2017 at 4:24 pm
Hi!

Have been using Fedora as my dovecot server for
some time and am struggling with systemd
at every update.
Fedora insists on setting
ProtectSystem=full in both dovecot.service and postfix.service
at every update of the packages.

This makes my mailstore which is in /usr/local/var/mail
Read-only.

And this makes the incoming emails delivered through
dovecot-lda disappear into /dev/null until I notice
the problem and we lose incoming emails.

My question is:
Is there any way to set up a failback mailstore
for these occasions?

PS! I really hate systemd - Destroys the UNIX way of
doing things with a heavy axe


Best
Dag




--
Steffen Kaiser



Re: Question about mail_location

2017-08-16 Thread Steffen Kaiser


On Wed, 16 Aug 2017, Laura Steynes wrote:


> In using mysql, in the configuration file we need to specify, in the user
> query,  '/path/ as home, yet but in dovecot.conf, we also are setting
> mail_location, the same thing is it not, so unless I've missed something,
> do we still need to use the path as home in the user query? Do we only need
> set that if it differs from mail_location?


I can interpret your question in several ways, depending on what you are 
looking for:


https://wiki2.dovecot.org/VirtualUsers/Home
-> yes, you need a home *and* a separate mail directory for each user

Dovecot can derive the mail_location from home (using ~ or $h), but not 
the other way round. Hence, you need to configure a home directory. Do 
this as default in the userdb section or let it be returned by the userdb.


You need not configure mail_location in Dovecot's conf files, if you 
always return home and mail directory from your userdb.


--
Steffen Kaiser
